Network Address Translation

Network Address Translation (NAT) is needed when a network uses “illegal” internal IP addresses that it cannot use on the public Internet. A network might use “illegal” IP address for legacy reasons, for privacy, or as an attempt to circumvent the shortage of public IP addresses.

A problem arises from the fact that many companies adopted use of IP in their internal networks and either were sure they would never connect to the Internet or were unaware of its existence. In either case, they just grabbed a convenient NETID and used that block of IP addresses for their network hosts.

Network Address Translation

What happens when such a company attempts to connect its network to the Internet? There is a good chance it will be using someone else’s assigned NETID. After getting a “legal” NETID from its service provider, what’s next? One option is for the offending organization to renumber its network. Obviously this option will solve the problem, but it is not viable for very large private networks. It is impossible to change quickly to a new address scheme, and “illegal” addresses would continue to be used for at least a while.

A similar situation could occur even if a company were connected to the Internet and had received an official NETID from its service provider. What if the company chooses a different service provider? It would return its existing NETID to the original service provider and obtain a new NETID from the new service provider and renumber its network hosts.

An alternative to renumbering is to use network address translation software in a router or special gateway that maps the internal, “illegal” IP addresses to the official, public IP addresses obtained from the (new) service provider. In a way, the NAT device acts as a proxy on behalf of the internal hosts.

A NAT device conserves addresses because it needs only a small number of official IP addresses assigned to it. The NAT device can map the official addresses to internal hosts as needed; it does not require a permanent one-to-one mapping between the private internal addresses and the public external addresses. As a side benefit, the internal addressing scheme becomes invisible to the outside, providing a level of security to the internal network. After all, it is hard to attack what you can't see! Often, increasing privacy or conserving IP addresses is the primary motivation for using NAT.

The transition from Internet Protocol version 4 (IPv4) to Internet Protocol version 6 (IPv6) can also benefit from NAT. IPv4 uses 32-bit addresses, while IPv6 will use 128-bit addresses. While some networks will make the transition to IPv6 quickly, most will make the transition slowly because they will incur high costs without realizing a significant benefit. Address translation software will provide an easier migration to the new addressing scheme and provide compatibility between IPv4-only and IPv6-only hosts.

Contents

Basic NAT

Basic NAT

NAT is normally used to connect private networks to the public Internet, or to connect two private networks that use the same address space (for instance, when two companies merge and the networks need to be linked together).

Traditional NAT accommodates unidirectional sessions, typically in which a host on the internal private network opens a connection with an external public host. Bidirectional sessions can occur, but require static mappings. Traditional NAT can be categorized as either basic NAT or Network Address Port Translation (NAPT).

Basic NAT maps internal private IP addresses to official external IP addresses on a one-to-one basis. This mapping between internal and external addresses can be either static or dynamic. In either case, only the IP address is mapped.

With static mapping, there obviously is the need for an equal number of internal and external IP addresses. Static mapping has the advantage of each host maintaining a permanent identity, which would be necessary, for example, if an internal host were to function as a Web server. Static NAT does not require the NAT device to maintain any state information about the connections passing through it. A simple mapping table is all that is needed.

With dynamic mapping, a small number of external addresses can accommodate a larger number of internal hosts, with an internal host mapped to an external address only when it actively communicates with the outside Internet. Because of the dynamic nature of the translation, connection state information must be maintained so the NAT device knows when it can release and reuse an external address. Conserving IP addresses is a plus, although the fact that the internal hosts do not maintain a fixed identity to the outside world makes it unsuitable for use with servers. Dynamic mapping also limits the number of internal hosts that can actively communicate with the outside at any given time.
The visual shows a NAT device performing dynamic mapping between internal hosts A and B and external servers C and D. Host A is mapped to the external IP address 208.162.106.100, while host B is mapped to IP address 208.162.106.101.

It is possible to do both static NAT (for servers) and dynamic NAT on the same device.

In the visual, the DHCP server has a static IP address of 192.168.0.5, from the private Class C range, and is configured to assign private addresses to clients from a pool, whose addresses range from 192.168.0.32–192.168.0.254. The File Transfer Protocol (FTP), the World Wide Web (WWW), and the Simple Mail Transfer Protocol (SMTP)/Post Office Protocol version 3 (POP3) servers have static addresses ranging from 192.168.0.2–192.168.0.4. Lastly, the router has a static address of 192.168.0.1 on the internal network and a public address of 208.106.162.1 on the external network. (The external network number is from the ISP address space.)

The ISP assigns its customer a public prefix of 208.132.106.0/28. In this case the customer has addresses 208.162.106.0–208.162.106.7 as public addresses. Given that all 1s and 0s are reserved subnetwork addresses, the customer has six host addresses which range from 208.162.106.1–208.162.106.6. This is a common scenario for customers with a business DSL service.

The router performing the NAT function is configured to statically map the private server addresses to public addresses (e.g., 192.168.0.2–208.162.106.2, 192.168.0.3–208.162.106.3, etc.). Relative to the clients, the router is configured to map all other private addresses (i.e., 192.168.0.32–192.168.0.254) to one public address (i.e., 208.162.106.6) via TCP/UDP port translation. From the Internet it looks as though the host whose address is 208.162.106.6 is very active since all the clients access Internet resources from this one address.

NAT Functions: More Than the IP Layer

More than just translating an IP address, network address translation (NAT) also involves modifying the IP checksum and the TCP checksum. In fact, NAT must modify any occurrence of an IP address above the Internet Layer. Examples are listed below.

The Internet Control Message Protocol (ICMP) embeds the IP header of the control message. Hence, when an ICMP message is sent through a NAT device, the device must change the contents of this embedded header.

FTP includes instances of the IP address in some commands (e.g., the * * FTP Port and passive (PASV) commands).

Domain Name System (DNS) queries contain IP addresses in the DNS header. While most NAT implementations support ICMP, FTP, and DNS, SNMP, IP multicast, and DNS zone transfers are not handled by most NAT implementations. Newer releases of NAT software support TCP/UDP applications that carry the IP address in the application data. Examples of these applications include H.323, RealAudio, and NetMeeting. In general, NATs support any TCP or UDP application that does not carry source and/or a destination IP address in the application protocol.

The IPSecAuthentication Header (AH) ensures that the IP address has not been tampered with. Therefore, NAT cannot be used between two devices using IPSec AH.

NAT and Load Sharing

Load Sharing

Sometimes a technology developed to solve one problem has additional benefits that become apparent only after the technology is used for a while. This is the case with NAT. Designed to solve the problem of a private internal IP address space communicating with the public Internet, NAT has the capability of creating virtual servers on the private network.

The visual shows a private company network attached to the Internet via a NAT device. On the company network are three separate servers (in this example, Web servers). Using NAT, the company can create the appearance of a single virtual server accessible to the outside world. Furthermore, the NAT device can implement a level of load sharing among the multiple real servers.

Here is how it could work. When an external host wants to connect to the company's Web server on the private network, it performs its normal DNS lookup to determine the IP address of the Web server. The company DNS server returns the public IP address of the NAT device. The external host then directs IP packets aimed at the NAT device, using the appropriate server port (port 80 for a Web server). When the packet destined for port 80 arrives at the NAT device, the device can select which internal Web server receives the incoming request. Depending on the algorithm used, the NAT device can achieve load sharing between the three internal Web servers. The algorithm might just switch requests using a simple round-robin approach, or it might use a more sophisticated approach based on the actual loads on individual servers.

In the case where the private internal network has multiple links to the outside, NAT can also perform load sharing in the outgoing direction. If the links terminate at a single NAT device, the device can determine which external connection to use (again, depending on the sophistication of the load-sharing algorithm) and map the internal IP address to the external public address of the link to use. If multiple NAT devices are used, it becomes much more complex because the NAT devices must coordinate connection state information.